
IE 8 adware, hijacked links, limited page functionality [Solved]



#16
Buddierdl

Sorry for the delay over the weekend.

Let's try this to see if we can get the scan to run. We may be looking at a reinstall of IE.

Please download Complete Internet Repair to your desktop and run it.


Please check the following boxes and click "Go."
  • Reset Internet Protocol
  • Repair Winsock
  • Renew Internet Connections
  • Flush DNS Resolver Cache
  • Repair Internet Explorer
  • Repair SSL / HTTPS / Cryptography
  • Reset Windows Firewall Configuration

Please copy and paste the log that appears in the window at the bottom of the screen.


#17
msujedi

Scare averted! I completed CIR as instructed. After the reboot, I was unable to use IE. Starting IE brought up an IE window with my homepage URL ... but just an unresponsive blank white page. I had no use of the internet on my desktop. I had to save the logs to a flash drive, then access IE on my laptop in order to paste them below. I do have the CIR program saved to my desktop.

I tinkered around ... went to internet options through control panel. Nothing was selected in 'connections', so I checked 'Automatically detect settings' in LAN settings. Then, on my unresponsive blank white homepage, I was able to get to 'Tools' and 'reopen last browsing session'. That brought up an active homepage. All links were active, but I still didn't have use of my 'favorites'. After making an initial edit to this post, my favorites became active again. I believe I have full use of IE again.

Next step(s)?

./
(o o)
--------------------------------------oOOo-(_)-oOOo--------------------------------------
[24/06/2013 15:50:49] Resetting all TCP/IP Interfaces, Please wait.....
-----------------------------------------------------------------------------------------
[24/06/2013 15:50:52] TCP/IP Stack reset successful.
[24/06/2013 15:50:52] TCP/IP Reset log located @ [C:\Documents and Settings\Jed\Desktop\cintrep\cintrep\Logging\CIRReset.log]
[24/06/2013 15:50:53] TCP/IP interfaces reset successful.
[24/06/2013 15:50:54] The TCP/IP v6 protocol might not be installed.
[24/06/2013 15:50:54] Click on 'Commands' then 'Install IP6 protocol' to install TCP/IP v6.
[24/06/2013 15:50:54] You may need to restart your computer for the settings to take effect.
[24/06/2013 15:50:54] Finished resetting the Internet Protocol (TCP/IP).

-----------------------------------------------------------------------------------------
[24/06/2013 15:50:54] Attempting to reset Winsock catalog, Please wait.....
-----------------------------------------------------------------------------------------
[24/06/2013 15:50:57] Successfully reset the Winsock Catalog.
[24/06/2013 15:50:57] Finished repairing Winsock

-----------------------------------------------------------------------------------------
[24/06/2013 15:50:57] Releasing TCP/IP connections, Please wait.....
-----------------------------------------------------------------------------------------
[24/06/2013 15:50:58] Successfully released TCP/IP connections.

-----------------------------------------------------------------------------------------
[24/06/2013 15:50:58] Renewing TCP/IP connections, Please wait.....
-----------------------------------------------------------------------------------------
[24/06/2013 15:51:01] Successfully renewed TCP/IP adapters.

-----------------------------------------------------------------------------------------
[24/06/2013 15:51:01] Configuring the Windows Event Log Service, Please wait.....
-----------------------------------------------------------------------------------------
[24/06/2013 15:51:02] Windows Event Log Service Configured.
[24/06/2013 15:51:02] Starting the Windows Event Log Service.....
[24/06/2013 15:51:02] Windows Event Log Service Started Successfully.

-----------------------------------------------------------------------------------------
[24/06/2013 15:51:02] Flushing DNS Resolver Cache, Please wait.....
-----------------------------------------------------------------------------------------
[24/06/2013 15:51:02] Successfully flushed DNS Resolver Cache.
[24/06/2013 15:51:02] Refreshing all DHCP leases and re-registering DNS names, Please wait.....
[24/06/2013 15:51:03] Registration of the DNS resource records has been initiated.
[24/06/2013 15:51:03] Note: Any errors will be reported in the 'Event Viewer' in about 15 minutes.
[24/06/2013 15:51:03] Note: Click on 'File' and then 'Event Viewer...' to open the Event Viewer.

-----------------------------------------------------------------------------------------
[24/06/2013 15:51:03] Repairing Internet Explorer 8.0.6001, Please wait.....
-----------------------------------------------------------------------------------------
[24/06/2013 15:51:07] RegSvr32.exe: 'actxprxy.dll' registration succeeded.
[24/06/2013 15:51:07] RegSvr32.exe: 'asctrls.ocx' registration succeeded.
[24/06/2013 15:51:08] RegSvr32.exe: 'browseui.dll' registration succeeded.
[24/06/2013 15:51:09] RegSvr32.exe: 'cdfview.dll' registration succeeded.
[24/06/2013 15:51:09] RegSvr32.exe: 'comcat.dll' registration succeeded.
[24/06/2013 15:51:10] RegSvr32.exe: 'comctl32.dll' registration succeeded.
[24/06/2013 15:51:10] RegSvr32.exe: 'corpol.dll' registration succeeded.
[24/06/2013 15:51:10] RegSvr32.exe: 'cryptdlg.dll' registration succeeded.
[24/06/2013 15:51:10] RegSvr32.exe: '"C:\Program Files\Internet Explorer\custsat.dll"' Specified module not found
[24/06/2013 15:51:11] RegSvr32.exe: 'digest.dll' registration succeeded.
[24/06/2013 15:51:11] RegSvr32.exe: 'dispex.dll' registration succeeded.
[24/06/2013 15:51:12] RegSvr32.exe: 'dxtmsft.dll' registration succeeded.
[24/06/2013 15:51:12] RegSvr32.exe: 'dxtrans.dll' registration succeeded.
[24/06/2013 15:51:12] RegSvr32.exe: 'extmgr.dll' registration succeeded.
[24/06/2013 15:51:13] RegSvr32.exe: '"C:\Program Files\Internet Explorer\hmmapi.dll"' registration succeeded.
[24/06/2013 15:51:13] RegSvr32.exe: 'hlink.dll' registration succeeded.
[24/06/2013 15:51:13] RegSvr32.exe: 'ieaksie.dll' registration succeeded.
[24/06/2013 15:51:13] RegSvr32.exe: 'ieapfltr.dll' registration succeeded.
[24/06/2013 15:51:14] RegSvr32.exe: 'iedkcs32.dll' registration succeeded.
[24/06/2013 15:51:14] RegSvr32.exe: '"C:\Program Files\Internet Explorer\iedvtool.dll"' registration succeeded.
[24/06/2013 15:51:14] RegSvr32.exe: 'iedvtool.dll' Specified module not found
[24/06/2013 15:51:14] RegSvr32.exe: 'ieframe.dll' registration succeeded.
[24/06/2013 15:51:15] RegSvr32.exe: 'iepeers.dll' registration succeeded.
[24/06/2013 15:51:15] RegSvr32.exe: '"C:\Program Files\Internet Explorer\ieproxy.dll"' registration succeeded.
[24/06/2013 15:51:15] RegSvr32.exe: 'ieproxy.dll' Specified module not found
[24/06/2013 15:51:16] RegSvr32.exe: 'iesetup.dll' Module loaded but entry-point DllRegisterServer was not found.
[24/06/2013 15:51:16] RegSvr32.exe: 'imgutil.dll' Module loaded but entry-point DllRegisterServer was not found.
[24/06/2013 15:51:17] RegSvr32.exe: 'inetcpl.cpl' Module loaded but entry-point DllRegisterServer was not found.
[24/06/2013 15:51:17] RegSvr32.exe: 'inetcpl.cpl' registration succeeded.
[24/06/2013 15:52:48] RegSvr32.exe: 'initpki.dll' registration succeeded.
[24/06/2013 15:52:48] RegSvr32.exe: 'inseng.dll' Module loaded but entry-point DllRegisterServer was not found.
[24/06/2013 15:52:49] RegSvr32.exe: 'jscript.dll' registration succeeded.
[24/06/2013 15:52:50] RegSvr32.exe: 'licmgr10.dll' registration succeeded.
[24/06/2013 15:52:51] RegSvr32.exe: 'mlang.dll' registration succeeded.
[24/06/2013 15:52:53] RegSvr32.exe: 'mobsync.dll' registration succeeded.
[24/06/2013 15:52:53] RegSvr32.exe: 'msapsspc.dll' Module loaded but entry-point DllRegisterServer was not found.
[24/06/2013 15:52:54] RegSvr32.exe: 'mscoree.dll' registration succeeded.
[24/06/2013 15:52:55] RegSvr32.exe: 'mscorier.dll' Module loaded but entry-point DllRegisterServer was not found.
[24/06/2013 15:52:55] RegSvr32.exe: 'mscories.dll' Module loaded but entry-point DllRegisterServer was not found.
[24/06/2013 15:52:55] RegSvr32.exe: 'msdbg2.dll' registration succeeded.
[24/06/2013 15:52:55] RegSvr32.exe: 'mshta.exe' Module loaded but entry-point DllRegisterServer was not found.
[24/06/2013 15:52:55] RegSvr32.exe: 'mshtml.dll' Module loaded but entry-point DllRegisterServer was not found.
[24/06/2013 15:52:56] RegSvr32.exe: 'mshtmled.dll' registration succeeded.
[24/06/2013 15:52:56] RegSvr32.exe: 'msident.dll' registration succeeded.
[24/06/2013 15:52:56] RegSvr32.exe: 'msieftp.dll' registration succeeded.
[24/06/2013 15:52:56] RegSvr32.exe: 'msnsspc.dll' Module loaded but entry-point DllRegisterServer was not found.
[24/06/2013 15:52:56] RegSvr32.exe: 'msr2c.dll' registration succeeded.
[24/06/2013 15:52:56] RegSvr32.exe: 'msrating.dll' Module loaded but entry-point DllRegisterServer was not found.
[24/06/2013 15:52:56] RegSvr32.exe: 'mstime.dll' registration succeeded.
[24/06/2013 15:52:57] RegSvr32.exe: 'msxml.dll' registration succeeded.
[24/06/2013 15:52:57] RegSvr32.exe: 'ole32.dll' registration succeeded.
[24/06/2013 15:52:57] RegSvr32.exe: 'oleacc.dll' registration succeeded.
[24/06/2013 15:52:57] RegSvr32.exe: 'occache.dll' Module loaded but entry-point DllRegisterServer was not found.
[24/06/2013 15:52:57] RegSvr32.exe: 'oleaut32.dll' registration succeeded.
[24/06/2013 15:52:58] RegSvr32.exe: '"C:\Program Files\Internet Explorer\pdm.dll"' registration succeeded.
[24/06/2013 15:52:58] RegSvr32.exe: 'plugin.ocx' Specified module not found
[24/06/2013 15:52:58] RegSvr32.exe: 'pngfilt.dll' Module loaded but entry-point DllRegisterServer was not found.
[24/06/2013 15:52:58] RegSvr32.exe: 'proctexe.ocx' registration succeeded.
[24/06/2013 15:52:58] RegSvr32.exe: 'scrobj.dll' Error number: 0x80070005
[24/06/2013 15:52:59] RegSvr32.exe: 'sendmail.dll' registration succeeded.
[24/06/2013 15:52:59] RegSvr32.exe: 'setupwbv.dll' Specified module not found
[24/06/2013 15:52:59] RegSvr32.exe: 'shdocvw.dll' registration succeeded.
[24/06/2013 15:52:59] RegSvr32.exe: 'tdc.ocx' registration succeeded.
[24/06/2013 15:52:59] RegSvr32.exe: 'url.dll' Module loaded but entry-point DllRegisterServer was not found.
[24/06/2013 15:53:00] RegSvr32.exe: 'urlmon.dll' registration succeeded.
[24/06/2013 15:53:00] RegSvr32.exe: 'urlmon.dll,NI,HKLM' Specified module not found
[24/06/2013 15:53:00] RegSvr32.exe: 'vbscript.dll' registration succeeded.
[24/06/2013 15:53:00] RegSvr32.exe: '"C:\Program Files\microsoft shared\vgx\vgx.dll"' Specified module not found
[24/06/2013 15:53:00] RegSvr32.exe: 'webcheck.dll' Module loaded but entry-point DllRegisterServer was not found.
[24/06/2013 15:53:00] Fixing 'New tabs page cannot display content because it cannot access the controls'.
[24/06/2013 15:53:00] This is a result of a bug in shdocvw.dll.
[24/06/2013 15:53:00] Registering Outlook Express files.....
[24/06/2013 15:53:01] RegSvr32.exe: '"C:\Program Files\Outlook Express\msoe.dll"' registration succeeded.
[24/06/2013 15:53:01] RegSvr32.exe: '"C:\Program Files\Outlook Express\oeimport.dll"' registration succeeded.
[24/06/2013 15:53:01] RegSvr32.exe: '"C:\Program Files\Outlook Express\oemiglib.dll"' registration succeeded.
[24/06/2013 15:53:02] RegSvr32.exe: '"C:\Program Files\Outlook Express\wabfind.dll"' registration succeeded.
[24/06/2013 15:53:02] RegSvr32.exe: '"C:\Program Files\Outlook Express\wabimp.dll"' registration succeeded.
[24/06/2013 15:53:02] Finished repairing Internet Explorer 8.0.6001

-----------------------------------------------------------------------------------------
[24/06/2013 15:53:02] Repairing SSL / HTTPS / Cryptography service, Please wait.....
-----------------------------------------------------------------------------------------
[24/06/2013 15:53:02] Configuring the Cryptographic Service.....
[24/06/2013 15:53:03] Cryptographic Service Configured.
[24/06/2013 15:53:03] Stopping the Cryptographic Service.....
[24/06/2013 15:53:03] Cryptographic service Stopped Successfully.
[24/06/2013 15:53:03] Clearing [C:\WINDOWS\system32\CatRoot].....
[24/06/2013 15:53:03] [C:\WINDOWS\system32\CatRoot] cleared.
[24/06/2013 15:53:03] Re-registering SSL / HTTPS / Cryptography DLLs.....
[24/06/2013 15:53:04] RegSvr32.exe: 'cryptdlg.dll' registration succeeded.
[24/06/2013 15:53:04] RegSvr32.exe: 'cryptext.dll' registration succeeded.
[24/06/2013 15:53:04] RegSvr32.exe: 'cryptui.dll' registration succeeded.
[24/06/2013 15:53:05] RegSvr32.exe: 'dssenh.dll' registration succeeded.
[24/06/2013 15:53:06] RegSvr32.exe: 'gpkcsp.dll' registration succeeded.
[24/06/2013 15:53:29] RegSvr32.exe: 'initpki.dll' registration succeeded.
[24/06/2013 15:53:29] RegSvr32.exe: 'licdll.dll' registration succeeded.
[24/06/2013 15:53:29] RegSvr32.exe: 'mssign32.dll' registration succeeded.
[24/06/2013 15:53:30] RegSvr32.exe: 'mssip32.dll' registration succeeded.
[24/06/2013 15:53:30] RegSvr32.exe: 'regwizc.dll' registration succeeded.
[24/06/2013 15:53:30] RegSvr32.exe: 'rsaenh.dll' registration succeeded.
[24/06/2013 15:53:31] RegSvr32.exe: 'scardssp.dll' registration succeeded.
[24/06/2013 15:53:31] RegSvr32.exe: 'sccbase.dll' registration succeeded.
[24/06/2013 15:53:31] RegSvr32.exe: 'scecli.dll' registration succeeded.
[24/06/2013 15:53:32] RegSvr32.exe: 'slbcsp.dll' registration succeeded.
[24/06/2013 15:53:32] RegSvr32.exe: 'softpub.dll' registration succeeded.
[24/06/2013 15:53:32] RegSvr32.exe: 'winhttp.dll' registration succeeded.
[24/06/2013 15:53:32] RegSvr32.exe: 'wintrust.dll' registration succeeded.
[24/06/2013 15:53:32] SSL / HTTPS / Cryptography DLLs re-registered.
[24/06/2013 15:53:32] Restarting the Cryptographic Service.....
[24/06/2013 15:53:32] Cryptographic Service restarted.
[24/06/2013 15:53:32] Finished repairing SSL / HTTPS / Cryptography service.

-----------------------------------------------------------------------------------------
[24/06/2013 15:53:32] Resetting the Windows Firewall configuraton, Please wait.....
-----------------------------------------------------------------------------------------
[24/06/2013 15:53:34] Windows Firewall configuration reset successful.
[24/06/2013 15:53:34] Finished resetting the Windows Firewall configuraton.

-----------------------------------------------------------------------------------------
[24/06/2013 15:53:34] You will need to reboot your computer before the settings will take effect.
-----------------------------------------------------------------------------------------
[24/06/2013 15:53:45] Your computer is restarting now.....

-----------------------------------------------------------------------------------------




reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{24DD9A51-E129-4314-B444-639DB6E4705C}\EnableDhcp
old REG_DWORD = 0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{24DD9A51-E129-4314-B444-639DB6E4705C}\IpAddress
old REG_MULTI_SZ =
169.254.139.1

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{24DD9A51-E129-4314-B444-639DB6E4705C}\RawIpAllowedProtocols
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{24DD9A51-E129-4314-B444-639DB6E4705C}\SubnetMask
old REG_MULTI_SZ =
255.255.255.0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{24DD9A51-E129-4314-B444-639DB6E4705C}\TcpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{24DD9A51-E129-4314-B444-639DB6E4705C}\UdpAllowedPorts
old REG_MULTI_SZ =
0

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{50505416-8C0B-4C07-9FE1-0BE54A3A4224}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{50505416-8C0B-4C07-9FE1-0BE54A3A4224}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{50505416-8C0B-4C07-9FE1-0BE54A3A4224}\IpAutoconfigurationSeed
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{50505416-8C0B-4C07-9FE1-0BE54A3A4224}\RawIpAllowedProtocols
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{50505416-8C0B-4C07-9FE1-0BE54A3A4224}\TcpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{50505416-8C0B-4C07-9FE1-0BE54A3A4224}\UdpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5D50E112-E4AD-4D06-8D23-2265338CA387}\EnableDhcp
old REG_DWORD = 0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5D50E112-E4AD-4D06-8D23-2265338CA387}\IpAddress
old REG_MULTI_SZ =
169.254.139.1

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5D50E112-E4AD-4D06-8D23-2265338CA387}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5D50E112-E4AD-4D06-8D23-2265338CA387}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5D50E112-E4AD-4D06-8D23-2265338CA387}\IpAutoconfigurationSeed
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5D50E112-E4AD-4D06-8D23-2265338CA387}\RawIpAllowedProtocols
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5D50E112-E4AD-4D06-8D23-2265338CA387}\SubnetMask
old REG_MULTI_SZ =
255.255.255.0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5D50E112-E4AD-4D06-8D23-2265338CA387}\TcpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5D50E112-E4AD-4D06-8D23-2265338CA387}\UdpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C0795098-4143-4D6E-929A-799C40C9EAB7}\RawIpAllowedProtocols
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C0795098-4143-4D6E-929A-799C40C9EAB7}\TcpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C0795098-4143-4D6E-929A-799C40C9EAB7}\UdpAllowedPorts
old REG_MULTI_SZ =
0

<completed>

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{50505416-8C0B-4C07-9FE1-0BE54A3A4224}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{50505416-8C0B-4C07-9FE1-0BE54A3A4224}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{50505416-8C0B-4C07-9FE1-0BE54A3A4224}\IpAutoconfigurationSeed
<completed>

Edited by msujedi, 24 June 2013 - 04:09 PM.
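
Added example, not part of the original posts: a short Python triage of the "Repairing Internet Explorer" section of the log in #17. It groups the RegSvr32 lines by module so that a failure on a bare name (`iedvtool.dll`) that is preceded by a success on the full path is not counted as a problem, and it singles out real error codes such as the `0x80070005` on `scrobj.dll`. The function names and outcome labels are assumptions of this example; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Excerpt of lines copied from the Complete Internet Repair log in post #17.
SAMPLE_LOG = r"""
[24/06/2013 15:51:10] RegSvr32.exe: 'cryptdlg.dll' registration succeeded.
[24/06/2013 15:51:10] RegSvr32.exe: '"C:\Program Files\Internet Explorer\custsat.dll"' Specified module not found
[24/06/2013 15:51:14] RegSvr32.exe: '"C:\Program Files\Internet Explorer\iedvtool.dll"' registration succeeded.
[24/06/2013 15:51:14] RegSvr32.exe: 'iedvtool.dll' Specified module not found
[24/06/2013 15:51:17] RegSvr32.exe: 'inetcpl.cpl' Module loaded but entry-point DllRegisterServer was not found.
[24/06/2013 15:51:17] RegSvr32.exe: 'inetcpl.cpl' registration succeeded.
[24/06/2013 15:52:55] RegSvr32.exe: 'mshtml.dll' Module loaded but entry-point DllRegisterServer was not found.
[24/06/2013 15:52:58] RegSvr32.exe: 'scrobj.dll' Error number: 0x80070005
[24/06/2013 15:53:00] RegSvr32.exe: 'urlmon.dll,NI,HKLM' Specified module not found
[24/06/2013 15:53:00] This is a result of a bug in shdocvw.dll.
"""

LINE_RE = re.compile(r"^\[[^\]]+\] RegSvr32\.exe: '(?P<target>.+?)' (?P<msg>.+)$")
ERROR_RE = re.compile(r"Error number: (0x[0-9A-Fa-f]+)")

# Well-known HRESULT; other codes are reported as "unknown".
HRESULT_NAMES = {"0x80070005": "E_ACCESSDENIED"}

# Best outcome wins when a module was attempted more than once.
PRIORITY = ("ok", "error", "no_entry_point", "missing", "other")


def classify(message):
    """Map the RegSvr32 result text to (outcome label, error code or None)."""
    if "registration succeeded" in message:
        return "ok", None
    if "Specified module not found" in message:
        return "missing", None
    if "DllRegisterServer was not found" in message:
        return "no_entry_point", None
    m = ERROR_RE.search(message)
    if m:
        return "error", m.group(1).lower()
    return "other", None


def parse_line(line):
    """Return (module, outcome, code) for a RegSvr32 line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target").strip('"')
    # Drop the directory and any ',NI,HKLM'-style arguments after the name.
    module = target.rsplit("\\", 1)[-1].split(",", 1)[0].lower()
    outcome, code = classify(m.group("msg"))
    return module, outcome, code


def triage(log_text):
    """Collapse all attempts per module into one status string."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            module, outcome, code = parsed
            attempts[module].append((outcome, code))

    report = {}
    for module, tries in attempts.items():
        outcomes = {o for o, _ in tries}
        best = next(p for p in PRIORITY if p in outcomes)
        if best == "error":
            code = next(c for o, c in tries if o == "error")
            best = f"error {code} ({HRESULT_NAMES.get(code, 'unknown')})"
        report[module] = best
    return report


def needs_attention(report):
    """Modules that never registered and returned an explicit error code."""
    return sorted(m for m, s in report.items() if s.startswith("error"))


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name in sorted(result):
        print(f"{name:15} {result[name]}")
    print("needs attention:", needs_attention(result))
```
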


#18
Buddierdl

Just saw your edit. So IE is working fine now?

Can you try ESET again?

Would you be open to installing Firefox as a second browser (we will still fix IE)? It is always good to have a backup.

#19
msujedi

Yes, IE is working well again. However, I am still receiving the same message when I disable my Antivirus software and then attempt to run ESET or Bitdefender.
"A problem with this webpage caused Internet Explorer to close and reopen the tab."

I'm open to installing Firefox as a back-up browser.

#20
Buddierdl

Can you try Firefox and see if you can run the scan from there?

#21
msujedi

I installed Firefox (and like it so far). I was able to run ESET through Firefox. Log below (or the 3 found threats at least) ...

C:\Program Files\WinFF\Installer.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\System Volume Information\_restore{12326759-7AD5-415C-9069-BFBBBA929DD0}\RP262\A0044940.exe a variant of Win32/BundleInstaller.C application
C:\System Volume Information\_restore{12326759-7AD5-415C-9069-BFBBBA929DD0}\RP291\A0058477.exe probably a variant of Win32/Bundled.Toolbar.Ask application

But, again, my J: drive vanished from my computer. Its drive letter did not show up in Disk Management. I tinkered around with a few scans, and restarts, and it came back. However, I'm not sure why it has been unavailable, or what causes it to come back ... as no approach has worked consistently.

Edited by msujedi, 25 June 2013 - 01:42 PM.


#22
Buddierdl

I was just about to ask about J. It may be that the HD is on the blink, so let's run a test. But first, let's get rid of the last threat.


Please be aware that this fix will delete your temporary files. If the virus has "hidden" any of your files, please do not run the fix, but stop and let me know.

Start OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :Commands
    [createrestorepoint]
    
    :Files
    C:\Program Files\WinFF\Installer.exe
    
    :Commands
    [emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered.
  • Post the log it produces in your next reply. The log should be saved in C:\_OTL\MovedFiles and should be named with numbers describing the date and time it was run.

3. Check Disk
  • Click Start then Computer and Right click the J: drive and select Properties
  • Select the Tools Tab. Under Error Checking click Check now
  • Check both boxes Automatically fix.... and Scan for and attempt..... and click Start
  • This can take many hours. Do not power off if it looks stuck; this is normal. It will finish.


After it finishes, download and run this script and the chkdsk log will open. Please post it in your next reply.


#23
msujedi

The J: drive has been hit or miss. It may just be a coincidence that it is showing signs of dying at the same time as I began running the scans and fixes to remove malware. When the drive does show itself, I've begun copying its contents to another drive.

OTL and Check Disk logs below.


All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== FILES ==========
C:\Program Files\WinFF\Installer.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Jed
->Temp folder emptied: 1125352 bytes
->Temporary Internet Files folder emptied: 51746941 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 614 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: Mariah

User: NetworkService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33237 bytes
->Flash cache emptied: 0 bytes

User: Wendy
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Wendy.HOME-STUDY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3997703 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 54.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 06262013_145635

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Jed\Local Settings\Temp\~DF919C.tmp not found!
File\Folder C:\Documents and Settings\Jed\Local Settings\Temp\~DF91C8.tmp not found!
File\Folder C:\Documents and Settings\Jed\Local Settings\Temp\~DF9281.tmp not found!
File\Folder C:\Documents and Settings\Jed\Local Settings\Temp\~DF9299.tmp not found!
File\Folder C:\Documents and Settings\Jed\Local Settings\Temp\~DF9385.tmp not found!
File\Folder C:\Documents and Settings\Jed\Local Settings\Temp\~DF9398.tmp not found!
C:\Documents and Settings\Jed\Local Settings\Temporary Internet Files\Content.IE5\Y10R2N3R\page__st__15[1].htm moved successfully.
C:\Documents and Settings\Jed\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_348.dat not found!

PendingFileRenameOperations files...

Registry entries deleted on Reboot...




ListChkdskResult by SleepyDude v0.1.6 Beta | 17-06-2013

------< Log generate on 6/27/2013 7:21:13 AM >------
Category: 0
Computer Name: HOME-STUDY
Event Code: 1001
Record Number: 15845
Source Name: Winlogon
Time Written: 20130626153832.000000-240
Event Type: information
User:
Message: Checking file system on J:
The type of the file system is NTFS.
Volume label is Photos, Music.


One of your disks needs to be checked for consistency. You
may cancel the disk check, but it is strongly recommended
that you continue.
Windows will now check the disk.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x548.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x5f7.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x548.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x5f7.
Cleaning up minor inconsistencies on the drive.
CHKDSK is recovering lost files.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x548.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x5f7.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
Windows has made corrections to the file system.

732572000 KB total disk space.
121333852 KB in 109200 files.
43640 KB in 9388 indexes.
0 KB in bad sectors.
208900 KB in use by the system.
65536 KB occupied by the log file.
610985608 KB available on disk.

4096 bytes in each allocation unit.
183143000 total allocation units on disk.
152746402 allocation units available on disk.

Internal Info:


-----------------------------------------------------------------------
Category: 0
Computer Name: HOME-STUDY
Event Code: 1001
Record Number: 15800
Source Name: Winlogon
Time Written: 20130626130748.000000-240
Event Type: information
User:
Message: Checking file system on J:
The type of the file system is NTFS.
Volume label is Photos, Music.


One of your disks needs to be checked for consistency. You
may cancel the disk check, but it is strongly recommended
that you continue.
Windows will now check the disk.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x548.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x5f7.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x548.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x5f7.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x548.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x5f7.
Cleaning up 1 unused index entries from index $SII of file 0x9.
Cleaning up 1 unused index entries from index $SDH of file 0x9.
Cleaning up 1 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.

732572000 KB total disk space.
121333848 KB in 109199 files.
43640 KB in 9388 indexes.
0 KB in bad sectors.
208900 KB in use by the system.
65536 KB occupied by the log file.
610985612 KB available on disk.

4096 bytes in each allocation unit.
183143000 total allocation units on disk.
152746403 allocation units available on disk.

Internal Info:


-----------------------------------------------------------------------
Category: 0
Computer Name: HOME-STUDY
Event Code: 1001
Record Number: 15779
Source Name: Winlogon
Time Written: 20130626074300.000000-240
Event Type: information
User:
Message: Checking file system on J:
The type of the file system is NTFS.
Volume label is Photos, Music.


One of your disks needs to be checked for consistency. You
may cancel the disk check, but it is strongly recommended
that you continue.
Windows will now check the disk.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x548.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x5f7.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x548.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x5f7.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x548.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x5f7.
Cleaning up 7 unused index entries from index $SII of file 0x9.
Cleaning up 7 unused index entries from index $SDH of file 0x9.
Cleaning up 7 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.

732572000 KB total disk space.
121333844 KB in 109198 files.
43640 KB in 9387 indexes.
0 KB in bad sectors.
208900 KB in use by the system.
65536 KB occupied by the log file.
610985616 KB available on disk.

4096 bytes in each allocation unit.
183143000 total allocation units on disk.
152746404 allocation units available on disk.

Internal Info:


-----------------------------------------------------------------------
Category: 0
Computer Name: HOME-STUDY
Event Code: 1001
Record Number: 15234
Source Name: Winlogon
Time Written: 20130621172407.000000-240
Event Type: information
User:
Message: Checking file system on J:
The type of the file system is NTFS.
Volume label is Photos, Music.


One of your disks needs to be checked for consistency. You
may cancel the disk check, but it is strongly recommended
that you continue.
Windows will now check the disk.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x548.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x5f7.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x548.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x5f7.
Cleaning up minor inconsistencies on the drive.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x548.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x5f7.
Cleaning up 26 unused index entries from index $SII of file 0x9.
Cleaning up 26 unused index entries from index $SDH of file 0x9.
Cleaning up 26 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.

732572000 KB total disk space.
121339400 KB in 109194 files.
43640 KB in 9384 indexes.
0 KB in bad sectors.
208900 KB in use by the system.
65536 KB occupied by the log file.
610980060 KB available on disk.

4096 bytes in each allocation unit.
183143000 total allocation units on disk.
152745015 allocation units available on disk.

Internal Info:


-----------------------------------------------------------------------
Category: 0
Computer Name: HOME-STUDY
Event Code: 1001
Record Number: 14180
Source Name: Winlogon
Time Written: 20130613070452.000000-240
Event Type: information
User:
Message: Checking file system on J:
The type of the file system is NTFS.
Volume label is Photos, Music.


One of your disks needs to be checked for consistency. You
may cancel the disk check, but it is strongly recommended
that you continue.
Windows will now check the disk.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x547.
The multi-sector header signature in file 0x1c2be is incorrect.
42 41 41 44 30 00 03 00 28 9d 7d 30 01 00 00 00 BAAD0...(.}0....
0a 00 02 00 38 00 03 00 50 02 00 00 00 04 00 00 ....8...P.......
Deleting corrupt file record segment 115390.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x5f7.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x5f7.
Index entry 2011 May of index $I30 in file 0x1d points to unused file 0x1c2be.
Deleting index entry 2011 May in index $I30 of file 29.
Index entry 2011MA~2 of index $I30 in file 0x1d points to unused file 0x1c2be.
Deleting index entry 2011MA~2 in index $I30 of file 29.
Cleaning up minor inconsistencies on the drive.
CHKDSK is recovering lost files.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x5f7.
Cleaning up 12 unused index entries from index $SII of file 0x9.
Cleaning up 12 unused index entries from index $SDH of file 0x9.
Cleaning up 12 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
Correcting errors in the master file table's (MFT) BITMAP attribute.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.

732572000 KB total disk space.
121077796 KB in 109287 files.
43620 KB in 9371 indexes.
0 KB in bad sectors.
208892 KB in use by the system.
65536 KB occupied by the log file.
611241692 KB available on disk.

4096 bytes in each allocation unit.
183143000 total allocation units on disk.
152810423 allocation units available on disk.

Internal Info:


-----------------------------------------------------------------------
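The chkdsk records above, summarized per run. This is an added example, not part of the thread or of any tool used in it: it parses event records in the layout shown and reports whether USA (update sequence array) check errors recur across runs on one volume. The sample input is constructed from abridged lines of the log, and the function names are illustrative.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: two abridged records in the layout of the log above.
SAMPLE = """\
Time Written: 20130626074300.000000-240
Message: Checking file system on J:
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x548.
The USA check value, 0x0, at block 0x3 is incorrect.
The expected value is 0x5f7.
0 KB in bad sectors.
-----------------------------------------------------------------------
Time Written: 20130613070452.000000-240
Message: Checking file system on J:
The USA check value, 0x0, at block 0x3 is incorrect.
Deleting corrupt file record segment 115390.
Windows has made corrections to the file system.
0 KB in bad sectors.
-----------------------------------------------------------------------
"""

def wmi_time(stamp):
    """Parse a WMI timestamp: yyyymmddHHMMSS.ffffff, then UTC offset in minutes."""
    offset = timezone(timedelta(minutes=int(stamp[21:])))
    return datetime.strptime(stamp[:14], "%Y%m%d%H%M%S").replace(tzinfo=offset)

def summarize(log):
    """Return one dict per chkdsk record, oldest first."""
    runs = []
    for rec in re.split(r"^-{20,}\s*$", log, flags=re.M):
        when = re.search(r"^Time Written: (\d{14}\.\d{6}[+-]\d{3})", rec, re.M)
        vol = re.search(r"Checking file system on (\w:)", rec)
        if not (when and vol):
            continue  # not a chkdsk record
        bad = re.search(r"^\s*(\d+) KB in bad sectors", rec, re.M)
        runs.append({
            "time": wmi_time(when.group(1)),
            "volume": vol.group(1),
            "usa_errors": rec.count("USA check value"),
            "segments_deleted": rec.count("Deleting corrupt file record segment"),
            "corrected": "Windows has made corrections" in rec,
            "bad_sector_kb": int(bad.group(1)) if bad else None,
        })
    return sorted(runs, key=lambda r: r["time"])

def recurring(runs, volume):
    """True when USA check errors show up in more than one run on the volume."""
    return sum(1 for r in runs if r["volume"] == volume and r["usa_errors"]) > 1
```

Errors that recur on one volume across several chkdsk runs are a reason to back the data up before running further diagnostics on that drive.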

#24
Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
I'm going to ask a tech to look at the chkdsk log. In the meantime, is everything else okay?

#25
msujedi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
Yes, everything else seems to be running fine still. However, SUPERAntiSpyware used to pick up anywhere from 0 to 6 tracking cookies. After the IE repair and installing Firefox, it now picks up roughly 40 tracking cookies when I run a quick scan. This is despite the fact that I have not been on the internet much. I probably just need to change some of the IE security settings, but I thought I should mention it.
#26
Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
This site gives you some details about security settings for cookies in Internet Explorer. Please note that some sites require cookies to work properly.

After talking with a tech, I think it would be best to back up your data on J: before running any more diagnostics. Have you already done so? If you would like, I have a set of instructions for using a bootable Linux CD to back up the data. This would put less stress on the HD than doing it from within Windows. Let me know. :)

#27
msujedi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
Feel free to give me my next steps. I will do them as soon as my J: drive is backed up.

I've been backing it up, groups of folders at a time. It makes a light sabre sort of sound periodically, and stops working if I try to back up too much at once. I have the most important documents backed up, and I should have it completely backed up by later tonight.

I have a drive for my OS and programs, a drive for various work and home documents, and a drive for video files. I intend to replace the work & home drive in the near future.

#28
Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
Hi msujedi,

I would definitely recommend replacing the J: drive once you back up the data. If you can no longer access it through Windows, I can give you some instructions for using a live Linux CD to back up the data.

Other than that and if you don't have any more questions…

Congratulations. :) Your computer now appears to be clean. Please complete the following steps to finalize the cleaning process.

Please update these programs, as old versions pose a security risk.

  • Java -> You have the latest version, but please take note of the warning below:

    WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
    See this article and this article.
    I would recommend that you completely uninstall Java unless you need it to run important software.
    In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

    If you do need java, then be sure to keep it updated and also please remove these two old versions, which no longer need to be installed. You can remove them from the Add/Remove Programs menu of the Control Panel:

    Java™ 6 Update 30
    Java SE Development Kit 7 Update 9

  • Adobe Reader -> You can get the latest version here.

    I would recommend securing Adobe Reader against the latest exploits as follows:

    • Launch Adobe Reader.
    • Click on Edit and select Preferences.
    • On the Left, click on the Javascript category and Uncheck Enable Acrobat Javascript.
    • Click on the Security (Enhanced) category and Uncheck Automatically trust sites from my Win OS security zones.
    • Click on the Trust Manager category and Uncheck Allow opening of non-PDF file attachments with external applications.
    • Click the OK button.
  • Adobe Flash -> Make sure you have the latest version here.

Clean up OTL:
  • Open OTL and select the "CleanUp" button.
  • Allow the computer to reboot.

Delete possibly infected restore points. Your computer may have saved a restore point while it was infected, so we need to delete the old restore points and create a new, clean one.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

  • Create a new, clean System Restore point which you can use in case of future system problems:
  • Press Start >> All Programs >> Accessories >> System Tools >> System Restore
  • Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close
  • Now remove old, infected System Restore points:
  • Next click Start >> Run and type cleanmgr in the box and press OK
  • Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked. You can choose to check other boxes if you wish, but they are not required.
  • Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
  • Press OK and Yes to confirm

Reset SP3 Firewall: Make sure you don't have any open ports in your firewall.
Click on Start >> Run... and cut/paste in the following and click on OK
firewall.cpl
Click on the Advanced tab >> Restore Defaults >> At the prompt click on Yes >> OK
Now click on the General tab >> select On(recommended) >> OK.

Ensure that Windows is always updated. Keeping Windows updated is very important to prevent security vulnerabilities. I recommend turning on automatic updates following the instructions below:
  • First, click on Start and click on Control Panel.
  • Double-click on Automatic Updates to bring up the configuration dialog. If you're in Category view, you'll have to click on Security Center.
  • Select the Automatic (recommended) option and click on OK at the bottom of the window.

Empty temp files. I would recommend doing this every so often to free up some space on your computer.

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run; make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished, it should reboot your machine; if not, do this yourself to ensure a complete clean.

Always ensure that your firewall and anti-virus program are updated and running. These are your first line of defense against infection.

Make sure that you keep all of your programs updated. Out-of-date programs can make your computer more vulnerable to infection. Software manufacturers release updates to fix security problems as they are discovered. Secunia Personal Software Inspector, free to download here, is a good program that will scan your computer looking for programs that need to be updated.

This article has good information about how computers get infected. You can read it for good tips on staying clean and safe.

#29
msujedi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
Just finished the clean-up. I am buying a replacement drive later today. Thanks for all of your help!

#30
Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
Glad to help.